Final Exam Preparation

I. True/False questions
1. Predetermined goals, usually driven by customer needs, are attributes of the functional
perspective of a business.
a. True
b. False
2. Because ERP systems adopt best practices in their design, organizations seldom need to
configure their ERP systems or acquire additional software to support their needs.
a. True
b. False
3. Only large organizations should use the software framework to select appropriate systems
for their needs.
a. True
b. False
4. Corporate governance is concerned with management and has nothing to do with internal
control
a. True
b. False
5. Detective controls have built-in correction mechanism to reverse the effects of an error or
irregularity
a. True
b. False
6. A logical data flow diagram shows the people, places and things involved in a system
a. True
b. False (that describes a physical DFD, not a logical one)
7. To remain competitive in the market, businesses of all sizes should adopt an ERP system.
a. True
b. False
8. To improve efficiency, one can choose to develop a particular type of system
documentation without losing too many details.
a. True
b. False
9. Ethics are how a person approaches and responds to an issue.
a. True
b. False
10. SCM and CRM extend the internal capabilities of ERP systems to suppliers and
customers by capturing data of those suppliers and customers that the organization deals
with respectively.
a. True
b. False
11. In terms of IT governance, monitoring and evaluating IT means that an organization
should ensure that all systems and software are running smoothly and various hardware
are energy efficient.
a. True
b. False
(Note: monitoring and evaluating IT means that the organization checks that IT governance is
implemented appropriately and continues to operate smoothly, so as to coordinate and provide
the best practice and control needed to achieve organizational strategy.)
12. Paying for the goods received is the sole objective of the expenditure cycle
a. True
b. False
13. Range checks can replace limit checks.
a. True
b. False
14. Cookies are often used to gather a customer’s online behaviour, but many organizations
do so without the informed consent of the customer.
a. True
b. False
15. Customers have the right to view data that an organization holds about them to make sure
that they are correct, and to demand that any errors be corrected.
a. True
b. False
16. ERP systems adopt a centralized database approach for data storage.
a. True
b. False
17. The performance of the expenditure cycle is determined by proportional amount of
discounts claimed
a. True
b. False
18. To ensure its efficiency and effectiveness, the internal control system should be
monitored by both internal and external parties.
a. True
b. False
19. Computer-based internal controls mainly depend on the design of relevant programs
rather than the control environment and general controls.
a. True
b. False
20. Gantt charts are also known as critical path charts.
a. True
b. False
21. Fraud is most likely to be detected by notification from employees.
a. True
b. False
22. To ensure its efficiency and effectiveness, the internal control system should be
monitored by both internal and external parties.
a. True
b. False
II. MCQs
1. Corporate governance is
a. An internal control tool.
b. A factor influencing internal control
c. A substitute for internal control.
d. Part of the control environment
2. A major disadvantage of the hybrid systems is that they:
a. Are based on business events rather than financial events
b. Integrate only the financial and manufacturing areas of a business
c. Use independent software
d. Have not been able to provide seamless integration across the entire organization
3. Which of the following relates to corporate governance?
a. Goal setting
b. Risk management
c. Performance measurement and management
d. All of the above
4. The overall objective of the accounts payable phase in the expenditure cycle is to:
a. Maintain the accounts payable record
b. Pay the right people the right amount at the right time
c. Determine whether an invoice should be paid
d. Ensure suppliers are neither overpaid nor underpaid
5. In which component of the internal control system would you see a concern with hiring
and recruitment policies?
a. Control environment
b. Risk assessment
c. Control activities
d. Information and communication
6. When considering new opportunities for technology within the organization, it is critical
to consider
a. Whether the technology is the latest available
b. Whether the technology aligns with the overall organizational strategy
c. Whether the technology is user friendly
d. All of the above
7. A company discovers that an employee has created a fictitious vendor on the vendor
master file and the company has paid a total of $250,000 to this vendor through fake
invoices. This is an example of fraud in the:
a. Revenue cycle.
b. Inventory management cycle.
c. Expenditure cycle.
d. Cash receipts cycle.
8. Which of the following statements is not true?
a. Top management sets the tone and example for ethical practice
b. Setting an example is an important part of promoting ethical behaviour in the
organization
c. Managers working with an AIS have a duty to ensure that the system is being
used appropriately.
d. It is only the lawyer’s responsibility to ensure that the organization and its
systems comply with federal and state laws relating to privacy and the usage of
information.
9. Which of the following technologies can provide accurate, timely and cost-effective data
sharing to the expenditure cycle?
a. RFID
b. SCM
c. EDI
d. CRM
10. Which of the following principles is not part of the principles for corporate governance
identified by the ASX Corporate Governance Council?
a. Respect the rights of shareholders
b. Keep disclosure of business information to a minimum
c. Safeguard integrity in financial reporting
d. Structure the board to add value
11. Which of the following data is not required by the expenditure cycle?
a. Inventory data and supplier data
b. Goods received data
c. Purchase order data
d. None of the above
12. Which of the following interpretations of the software categories is correct?
a. Systems are arranged in a chronological order (newer to older) from right to left
b. The distinctions among the categories are absolute.
c. The framework implies that systems to the right are more advanced than systems
to the left.
d. None of the above
13. IT governance is concerned with:
a. Ensuring that the correct IT investment is always made.
b. Controlling the use of IT within the organization.
c. Mandating selection procedures for new IT investments.
d. Policies and procedures helping to align the use of IT and strategy.
14. In corporate governance principles, remunerate fairly and responsibly means:
a. All board members should be paid the same amount of remuneration.
b. All employees of an organization should be paid fairly.
c. The organization should be able to demonstrate a clear link between company
performance and executive remuneration.
d. All of the above
15. Which of the following is not part of the four main objectives of IT governance?
a. Ensuring the organization has appropriate management strategies and techniques
in place for dealing with IT related risks.
b. Ensuring that the IT being used or adopted within an organization is consistent
with the organisation’s goals and meets expectations.
c. Ensuring the organisation's IT resources are used responsibly.
d. Using IT to make the most of future business opportunities and benefits.
16. How a person approaches and responds to an ethical issue is termed:
a. Ethics
b. Morals
c. Critical thinking
d. Decision making
17. Which of the following should not be included in a context diagram?
a. External entities
b. System inputs
c. System outputs
d. Data store
18. Which of the following statement is incorrect?
a. The accounts payable phase needs to ensure that payments are made by
authorized employees only.
b. The accounts payable phase needs to ensure that payments are accurate and timely
c. The accounts payable phase needs to ensure that the accounts are settled as soon
as possible.
d. The accounts payable phase needs to ensure that all accounts payable liabilities
are recorded accurately and promptly.
19. Which of the following statements is true?
A. Ethical conduct must be legal
B. Unethical conduct must be illegal
C. Legal conduct must be ethical
D. Illegal conduct must be unethical
a. Both A and B
b. Both C and D
c. Both A and D
d. Both B and C
20. Which of the following statements is true?
a. Corporate governance is only relevant at the level of the individual organization.
b. Corporate governance mechanisms can extend to the wider economy.
c. Corporate governance mechanisms do not relate to how an organization achieves
its goals.
d. Corporate governance mechanisms do not relate to how an organization monitors
and rewards organizational performance.
21. The comparison of actual and budgeted figures and the conduct of variance analysis to
determine the source of the variance is a type of:
a. General control
b. Information processing control
c. Performance review
d. Application control
22. Customers complained to an organization about a system that billed them incorrectly. As
a result, the organization decided to implement a new billing system. This is an example
of identifying system development opportunities through:
a. User and stakeholder feedback
b. A periodic review of system operations
c. Observing the system in action by watching users
d. All of the above
23. Risk assessment is:
a. The process of scanning the organization for risks that could inhibit the attainment
of the organisation’s goals.
b. The process of scanning the organization and its environment for risks that could
inhibit the attainment of the organisation’s goals.
c. The process of scanning the organisation for risks that could inhibit the
attainment of the organisations
d. The process of scanning the organization and its environment for risks that could
inhibit the attainment of the organisation’s goals and devising appropriate
corrections.
24. The first step of ethical decision making is to:
a. Define the issue
b. Identify the principles that can be applied
c. Identify the facts
d. Any of the above
25. Which of the following statements is true?
a. Top management and internal auditors, rather than ordinary employees, are
involved in monitoring activities.
b. External auditors and regulatory bodies, rather than internal auditors, should be
involved in monitoring activities due to concerns of conflict of interests.
c. Monitoring a control system means checking the system occasionally to ensure
that the risks it addresses are still relevant and the controls are operating
effectively.
d. None of the above
26. Which of the following statements regarding ethical decision making is true?
a. The number of alternative courses of action should be restricted to a small amount
to avoid information overload.
b. When choosing from a set of alternative courses of action, the primary principle is
to look for the one that will minimize the chance of legal sanction.
c. Each alternative course of action needs to be evaluated from the perspective of the
different stakeholders.
d. All of the above.
27. Information about users of an AIS can be gathered
a. Without the consent of the users
b. With the informed consent of the users
c. With the implied consent of the users
d. All of the above
28. The investigation phase of the system development lifecycle is concerned with:
a. Identifying any problems with the current systems and the feasibility of the
responding to those identified problems
b. Identifying any opportunities with the current systems and the feasibility of
responding to those identified opportunities
c. All of the above
d. None of the above
29. Which of the following must be involved in each stage of systems development to ensure
that adequate internal controls are built into the new system as it is designed?
a. Executives
b. Internal auditors
c. External auditors
d. All of the above
30. An ERP system can be applied to the production/inventory process to balance _____ and
_____ of manufacturing.
a. Costs; benefits
b. Costs; efficiency
c. Costs; timeliness
d. Efficiency; timeliness
31. An ERP system can be applied to optimise the ___ and ____ of raw materials by
providing information to assist in the selection of the right material at the right cost from
the right vendor.
a. Cost; benefit
b. Cost; quality
c. Cost; timeliness
d. Quality; timeliness
32. When managing an organisation’s value chain, the downstream focuses on ____ whereas
the upstream focuses on _____.
a. Suppliers; customers
b. Shareholders; government agencies
c. Employees; managers
d. Customers; suppliers
33. There are five steps in selecting the appropriate software for an organization, being A)
Select software; B) Determine the software systems requirements; C) Define business
processes; D) Select vendor; E) Develop business requirements. The correct sequence is:
a. ECDAB
b. DECBA
c. ECBDA
d. CEBAD
34. Which of the following statement is incorrect?
a. Application controls are designed around the control objectives of a specific
business process or system.
b. Application controls operate within the scope of general controls.
c. Application controls only provide reasonable assurance that all transactions have
occurred, are authorized, and are completely and accurately recorded and
processed.
d. None of the above.
35. Which of the following principles is not part of the principles for corporate governance
identified by the ASX Corporate Governance Council?
a. Respect the right of shareholders
b. Keep disclosure of business information to a minimum
c. Safeguard integrity in financial reporting
d. Structure the board to add value
36. An antivirus program scans and monitors files in a computer continuously for viruses.
This is an example of:
a. Preventive control
b. Detective control
c. Corrective control
d. Application control
37. The COBIT framework
a. Is only recognized in Australia and New Zealand.
b. Can only be adopted by large organisations
c. Is a framework for corporate governance
d. Is a framework for IT governance
38. Which of the following statements is true?
a. Good preventative controls should always be able to stop all risks from occurring.
b. Sometimes corrective control is the only option available.
c. Detective and corrective controls, when used together, can substitute preventive
control.
d. A mixture of preventive, detective and corrective controls should always be used.
39. An internal control system includes the control environment component. This is best
described as:
a. The overall attitude of awareness and actions of management to internal control.
b. The environment in which the business operates that it wishes to control to negate
any business risks.
c. The provision of sufficient information to enable employees to effectively operate
in their roles.
d. The monitoring of performance to ensure that the organisation’s control system is
still relevant and up to date
40. Which of the following is not a responsibility of the chief privacy officer?
a. Drafting organizational privacy policies
b. Lobby the governance for tighter privacy control
c. Enforcing privacy policies and guidelines in the organization
d. Create an organizational awareness of privacy issues
41. Which of the following statement is not true?
a. Large organisations will find it hard for a simple accounting system to satisfy
their needs.
b. ERP systems are also suitable for small organisations
c. Medium-sized organisations are better off using mid-range accounting systems.
d. All of the above
42. System problems and opportunities cannot be identified through:
a. User and stakeholder feedback
b. A periodic review of system operations
c. Observing the system in action by watching users
d. Examining system documentations
43. Control environment is
a. The attitude, emphasis and awareness of an organisation’s management towards
internal control and its operation within the organization.
b. The attitude, emphasis and awareness of the government towards internal control
and operations within organisations.
c. The attitude, emphasis and awareness of the legislative entities towards internal
control and operations within organisations.
d. All of the above.
44. The assertion of cut-off would be at risk when:
a. The accounting information system accepts a value that is incorrect (e.g. 122
instead of 22).
b. The accounting information system accepts a fictitious sale.
c. The accounting information system includes a sale for the next financial year in
this year’s revenue figure.
d. A revenue item is classified as an expense when entering the transaction.
45. ERP systems can:
a. Assist in the value chain process by reducing costs or improve the quality of
performance of the value chain activities performed in the process.
b. Assist in creating value within the activities that are not part of the value chain.
c. Assist in creating value in the value chain process by removing non-value-adding
activities.
d. All of the above.
46. Which of the following statement is incorrect?
a. General controls operate across the organization.
b. General controls relate to the overall environment in which different information
systems are located.
c. General controls relate to specific applications and processes.
d. General controls affect the operation of various information systems within an
organization indirectly.
47. Which of the following statement is NOT true?
a. Organisations with inadequate computing power should consider batch
processing.
b. Organisations with sufficient computing power should always use online real-
time data processing.
c. Online data gathering and batch processing is a compromise between online real-
time processing and batch processing.
d. None of the above.
48. Which of the following is not needed for a fraudulent act?
a. A reason
b. Pressure
c. A system with weak internal controls
d. An opportunity
49. Information processing controls are those that are put in place within the organization to
work towards the ___ of transactions.
a. Efficiency, effectiveness, and accuracy
b. Timeliness, efficiency, and completeness
c. Accuracy, completeness, and authorization
d. Authorization, processing, accuracy
50. Which of the following is NOT a form of physical control?
a. Servers are placed in a locked room.
b. A username and a password are needed to log into a computer.
c. Security cameras are put in place.
d. None of the above.
51. Which of the following is an example of poor segregation of duties?
a. The inventory control department is allowed to receive incoming goods.
b. Warehouse personnel are allowed to ship goods to customers.
c. The purchasing department is allowed to generate purchase requisitions.
d. All of the above.
52. Technical feasibility does not involve:
a. Assessing how well the organisation’s existing technology infrastructure meets
the requirements of the proposed system
b. Assessing what new technology is required to meet the demand of the proposed
system
c. Assessing different design options for the proposed system and weighing them up
against the organisation's existing technical resources and the resources that are
available for purchase
d. Assessing whether the organization has enough technological capability to
maintain the system.
53. Which of the following is NOT part of the enterprise value chain?
a. Human resources
b. Sales and marketing
c. Accounting and finance
d. Customer relationships
54. Which financial statement assertion is threatened when the organization has recorded
sales that didn’t take place?
a. Occurrence
b. Completeness
c. Accuracy
d. Classification
55. A new system:
a. Challenges worker competency
b. May be resisted by its users
c. Can make users feel that their jobs are threatened
d. All of the above
56. PERT charts and Gantt charts can be used to analyse
a. Financial feasibility
b. Technical feasibility
c. Schedule feasibility
d. Strategic feasibility
57. The task of selecting the most feasible alternative normally rests with:
a. The board of directors
b. The IT department
c. The systems development steering committee
d. The operation managers
58. Which of the following is the objective of a corporate governance system?
a. To ensure that minority shareholders receive reliable information about the value
of firms and that a company’s managers and large shareholders do not cheat them
out of the value of their investments
b. To motivate managers to maximize firm value instead of pursuing personal
objectives
c. To encourage companies to create value, through entrepreneurialism, innovation,
development and exploration, and provide accountability and control systems
commensurate with the risks involved.
d. All of the above
59. Which of the following controls can ensure that all software is properly licensed in an
organization?
a. Users are restricted from installing programs or running unauthorized programs
on their work computer.
b. Administrator rights and power user rights are not assigned to any common user.
c. Centralized deployment of software.
d. All of the above
60. An advantage of a single entry system for recording financial data is that it:
a. Allows streamlining of the financial function
b. Requires little accounting knowledge in order to be used successfully
c. Integrates both operational and financial aspects of business performance
d. Is built around a business process based design
III. Essay questions
8.8 For each of the following risks suggest a control that could be used to reduce it.
(a) Entering negative values for order quantity in a sales order

(b) Selling to a customer with an overdue account

(c) Ordering from a nonexistent supplier

(d) Paying for goods that have not been received

(e) Entering an alphanumeric customer ID when the business policy is for numeric customer IDs

(f) Misappropriation of goods by receiving staff, who also maintain inventory records

(g) Ordering too much of a product

For each risk: the consequence (Risk), the likely cause (Reason) and the suggested control (Control).

(a) Entering negative values for order quantity in a sales order
Risk: Incorrect inventory levels, leading to stockouts or excess inventory, lost sales, increased
carrying costs and decreased profitability, as well as incorrect shipments and dissatisfied
customers.
Reason: Data entry errors, misunderstandings by the sales representative, or intentional fraud.
Control: Firstly, set up automated validation checks so that negative values cannot be entered
into the system. Secondly, implement a sales order review process. Thirdly, train sales
representatives to identify and correct data entry errors and to report any suspicious activity.

(b) Selling to a customer with an overdue account
Risk: Non-payment can lead to cash flow issues, reduced profitability, and even bankruptcy.
Reason: Customers may not be able to pay bills on time due to financial difficulties.
Control: Set up automated alerts, establish credit limits, and implement a collection process to
follow up with customers who have overdue accounts.

(c) Ordering from a nonexistent supplier
Risk: The primary risk of fraudulent transactions is the loss of money and resources, as well as
the need to locate and resolve the resulting issues.
Reason: Ordering from a nonexistent supplier can be intentional fraud or a genuine mistake, such
as a typo or an error in the supplier database.
Control: Establish a vendor onboarding process, a purchase order approval process, multiple
approvals for large or unusual purchases, and regular audits of purchasing activities to detect
irregularities.

(d) Paying for goods that have not been received
Risk: The primary risk of non-delivery of goods is financial loss and potential supply chain
disruption, as well as reputational damage.
Reason: Intentional fraud or errors in the processing of invoices can lead to the business being
defrauded.
Control: Establish a rigorous purchase order approval process, a three-way matching process
(purchase order, receiving report and supplier invoice), and regular audits of purchasing
activities to detect irregularities.

(e) Entering an alphanumeric customer ID when the business policy is for numeric customer IDs
Risk: Alphanumeric IDs can lead to errors and confusion among employees.
Reason: Non-compliance with business policy can lead to data entry errors.
Control: Establish a customer ID format policy, automate validation checks, and perform regular
audits to ensure compliance.

(f) Misappropriation of goods by receiving staff, who also maintain inventory records
Risk: Financial losses due to theft or fraud, together with inaccurate inventory records.
Reason: Employees may manipulate inventory records to cover up theft or fraud because no
independent control exists over their work.
Control: Establish segregation of duties, physical inventory checks, and a system of checks and
balances to ensure the accuracy of inventory records.

(g) Ordering too much of a product
Risk: Excess inventory can lead to increased costs, reduced profitability, and potential
obsolescence.
Reason: Over-ordering can be caused by inaccurate forecasting, miscommunication, or intentional
over-ordering.
Control: Establish an inventory management system, a purchase order approval process, and clear
communication channels to ensure coordination and alignment between departments.
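The expenditure-side controls suggested for (c), (d) and (f) above, as an added worked example that is not part of the original study notes: an approved-vendor-master check, a three-way match of purchase order, receiving report and supplier invoice, and a segregation-of-duties check on the user who recorded the receipt. The vendor master, the role table, the 2% price tolerance and all documents are constructed assumptions for illustration.

```python
# Added example (not from the study notes): expenditure-cycle application
# controls for 8.8 (c), (d) and (f). Vendor master, role table, tolerance and
# all documents below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class PurchaseOrder:
    po_number: str
    vendor_id: str
    lines: Dict[str, Tuple[int, float]]   # item -> (qty_ordered, unit_price)


@dataclass
class ReceivingReport:
    po_number: str
    received_by: str                      # user who recorded the receipt
    lines: Dict[str, int]                 # item -> qty_received


@dataclass
class Invoice:
    invoice_number: str
    po_number: str
    vendor_id: str
    lines: Dict[str, Tuple[int, float]]   # item -> (qty_billed, unit_price)


# Approved vendor master (constructed). An invoice from an ID not listed here is
# the "nonexistent supplier" case of 8.8 (c).
APPROVED_VENDORS = {"V100": "Acme Supplies", "V200": "Beta Parts"}

# Role assignments (constructed). Receiving goods and maintaining inventory
# records are incompatible duties, the situation described in 8.8 (f).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"receiving"},
    "bob": {"receiving", "inventory_records"},
}
CONFLICTING_ROLE_SETS = [frozenset({"receiving", "inventory_records"})]

PRICE_TOLERANCE = 0.02   # unit-price variance tolerated before an exception (assumed)


def sod_conflicts(user: str) -> List[frozenset]:
    """Return the conflicting role combinations the user actually holds."""
    roles = USER_ROLES.get(user, set())
    return [pair for pair in CONFLICTING_ROLE_SETS if pair <= roles]


def three_way_match(po: PurchaseOrder, rr: ReceivingReport, inv: Invoice) -> List[str]:
    """Compare PO, receiving report and invoice; return a list of exceptions.

    An empty list means the invoice passed the control and may be approved for
    payment. Anything else is routed to accounts payable for follow-up.
    """
    exceptions: List[str] = []
    if inv.vendor_id not in APPROVED_VENDORS:
        exceptions.append(f"vendor {inv.vendor_id} is not in the approved vendor master")
    if inv.vendor_id != po.vendor_id:
        exceptions.append("invoice vendor does not match purchase order vendor")
    if rr.po_number != po.po_number or inv.po_number != po.po_number:
        exceptions.append("purchase order numbers on the three documents do not agree")
    for pair in sod_conflicts(rr.received_by):
        exceptions.append(
            f"receipt recorded by {rr.received_by}, who holds conflicting duties {sorted(pair)}")
    for item, (qty_billed, inv_price) in inv.lines.items():
        if item not in po.lines:
            exceptions.append(f"{item}: billed but never ordered")
            continue
        qty_ordered, po_price = po.lines[item]
        qty_received = rr.lines.get(item, 0)
        # 8.8 (d): never pay for more than was actually received
        if qty_billed > qty_received:
            exceptions.append(f"{item}: billed {qty_billed}, received only {qty_received}")
        if qty_received > qty_ordered:
            exceptions.append(f"{item}: received {qty_received}, ordered only {qty_ordered}")
        if abs(inv_price - po_price) > PRICE_TOLERANCE * po_price:
            exceptions.append(
                f"{item}: invoice price {inv_price} outside tolerance of PO price {po_price}")
    return exceptions


# Constructed documents used for the demonstration
PO_1 = PurchaseOrder("PO-1001", "V100", {"WIDGET": (100, 2.50), "BOLT": (40, 0.10)})
RR_1 = ReceivingReport("PO-1001", "alice", {"WIDGET": 100, "BOLT": 40})
RR_BY_BOB = ReceivingReport("PO-1001", "bob", {"WIDGET": 100, "BOLT": 40})
INV_OK = Invoice("INV-77", "PO-1001", "V100", {"WIDGET": (100, 2.50), "BOLT": (40, 0.10)})
INV_OVERBILLED = Invoice("INV-78", "PO-1001", "V100", {"WIDGET": (120, 2.50)})
INV_UNKNOWN_VENDOR = Invoice("INV-79", "PO-1001", "V999", {"WIDGET": (100, 2.50)})

if __name__ == "__main__":
    cases = [("clean", RR_1, INV_OK), ("over-billed", RR_1, INV_OVERBILLED),
             ("unknown vendor", RR_1, INV_UNKNOWN_VENDOR), ("SoD breach", RR_BY_BOB, INV_OK)]
    for label, rr, inv in cases:
        print(label, "->", three_way_match(PO_1, rr, inv) or "approved for payment")
```

The match is deliberately quantity-by-line rather than total-by-invoice, because paying an invoice total that happens to equal the PO total still hides a line that was billed but never received.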

(a) Using the COSO framework, the following control activities could be implemented within the
sales process to overcome the risks involved:
a. Sales to customers who have exceeded their credit limit:
- Implement an automated credit limit check system that prevents sales orders from being
processed for customers who have exceeded their credit limit.
- Provide sales staff with training on how to recognize customers who may be at risk of
exceeding their credit limit.
b. Large transactions taking place without proper approval:
- Implement a purchase order approval process that requires multiple levels of approval for
large transactions.
- Provide sales staff with training on how to recognize when a transaction may require
additional approval.
c. Fraudulent sales of low value entering the system:
- Implement an automated validation check that compares each sale to a minimum
transaction value and flags any sales that fall below this threshold for review.
- Provide sales staff with training on how to recognize and report suspicious sales activity.
d. Goods being shipped without proper authorization:
- Implement a system that requires sales orders to be authorized by the warehouse before
goods can be shipped.
- Provide sales staff with training on how to ensure that sales orders are properly
authorized before goods are shipped.
e. Sales orders going missing between salesperson and warehouse:
- Implement a system that tracks the movement of sales orders from salesperson to
warehouse and flags any missing orders for investigation.
- Provide sales staff with training on how to properly handle and track sales orders.
f. Customer records containing nonexistent customers:
- Implement a system that checks the validity of customer information entered into the
database, such as checking for duplicate entries or verifying customer information against
external databases.
- Provide sales staff with training on how to identify and correct data entry errors, and to
report any suspicious activity related to customer information.
(b) For each control activity identified in (a), the following information and communication and
monitoring processes could be implemented:
a. Automated credit limit check system:
- Information and communication: Provide sales staff with access to the credit limit check
system and train them on how to use it.
- Monitoring: Conduct regular audits of credit limit checks to ensure that they are being
performed correctly, and investigate any instances where the system has been bypassed.
b. Purchase order approval process:
- Information and communication: Provide sales staff with the purchase order approval
process and train them on how to follow it.
- Monitoring: Review purchase orders regularly to ensure that they have been approved by
the appropriate personnel, and investigate any instances where the process has been
bypassed.
c. Automated validation check:
- Information and communication: Provide sales staff with access to the automated
validation check system and train them on how to use it.
- Monitoring: Conduct regular audits of sales transactions to ensure that they are being
validated correctly, and investigate any instances where the system has been bypassed or
overridden.
d. Authorization system:
- Information and communication: Provide sales staff with the authorization system and
train them on how to use it.
- Monitoring: Monitor the authorization system regularly to ensure that sales orders are
being properly authorized by the warehouse, and investigate any instances where goods
have been shipped without proper authorization.
e. Sales order tracking system:
- Information and communication: Provide sales staff with the sales order tracking system
and train them on how to use it.
- Monitoring: Monitor the sales order tracking system regularly to ensure that sales orders
are being properly tracked, and investigate any instances where sales orders have gone
missing.
f. Customer data validation system:
- Information and communication: Provide sales staff with access to the customer data
validation system and train them on how to use it.
- Monitoring: Conduct regular audits of customer data to ensure that it is being entered
correctly and that customer information is being validated against external databases, and
investigate any instances where customer data has been entered incorrectly or is not valid.
Overall, implementing these control activities and monitoring processes can help Truly Legit to
manage the risks associated with its sales process and ensure that it operates in a controlled
and efficient manner. Monitoring should be conducted through regular audits and investigation
of any suspicious activity that is identified. Additionally, communication and training should
be provided to sales staff so that they understand the controls in place and how to follow them
correctly. This will help to reduce the likelihood of errors, omissions, or fraudulent activity
within the sales process.

Each control is listed as: Internal control | Control present? | General/Application | Control goal | Manual/Computerized

Risk 1. Unauthorized access to the system
- Access control system requiring strong passwords | Present | Application | Security | Computerized
- Regular audits of user access and activity logs | Missing | Application | Security | Computerized
- Two-factor authentication for high-risk systems | Missing | Application | Security | Computerized

Risk 2. Use of unauthorized software
- Prohibit installation of unauthorized software on company computers | Present | General | Compliance | Manual
- Periodic scans of company computers for unauthorized software | Missing | Application | Compliance | Computerized
- Employee training on the risks of installing unauthorized software | Missing | General | Awareness | Manual

Risk 3. Errors in data entry
- Validation of customer details before proceeding to the next screen | Present | Application | Accuracy | Computerized
- Automated data validation for common errors (e.g. incorrect postcode) | Missing | Application | Accuracy | Computerized
- Employee training on the importance of accurate data entry | Missing | General | Awareness | Manual

Risk 4. Errors in quantity ordered
- Validation of numeric values for quantities ordered | Present | Application | Accuracy | Computerized
- Automated data validation for common errors (e.g. negative quantities) | Missing | Application | Accuracy | Computerized
- Employee training on the importance of accurate quantity entry | Missing | General | Awareness | Manual
- Requiring a second employee to verify quantities for high-value orders | Missing | Application | Accuracy | Manual

● For the first risk, in addition to the existing control of requiring strong passwords, regular audits
of user access and activity logs can help identify suspicious activity or unauthorized access attempts,
and two-factor authentication can be implemented for high-risk systems to provide an extra layer of
security. Both of these controls are missing in the case.
● For the second risk, prohibiting the installation of unauthorized software is a general control
enforced through company policy. However, periodic scans of company computers for unauthorized
software and employee training on the risks of installing unauthorized software are missing controls
that would help ensure the policy is actually complied with.
● For the third risk, validating customer details before proceeding to the next screen is an
application control that helps ensure accuracy. Automated validation for common errors (such as a
postcode with the wrong number of digits) adds a further layer of checking, and employee training on
the importance of accurate data entry can also help reduce errors.
● For the fourth risk, validating that quantities ordered are numeric is an application control that
helps ensure accuracy, but a numeric check alone still accepts values such as negative or zero
quantities. Automated validation for these common errors provides an additional layer of checking,
and requiring a second employee to verify quantities for high-value orders helps ensure accuracy in
cases where an error could result in significant financial loss or customer dissatisfaction.
In summary, implementing a range of internal controls can help mitigate the risks in a business
process. The COSO framework provides a useful tool for identifying risks and implementing
appropriate controls to address those risks. By following this framework, organizations can enhance
their ability to achieve their objectives, protect against fraud and mismanagement, and comply with
applicable laws and regulations.
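As an added example that is not part of the case study or the original answer, the following Python code implements the data-entry and quantity validations discussed above for a single order record, showing what the "missing" automated checks catch that a plain numeric check does not. The record layout, the four-digit postcode format, the per-line quantity ceiling and the 10,000 second-approval threshold are all assumptions made for illustration.

```python
"""Application-level input validation for a sales order entry screen.

Added example (not from the case study).  The field names, the four-digit
postcode format, MAX_QTY and SECOND_APPROVAL_THRESHOLD are assumptions.
"""
import re
from decimal import Decimal, InvalidOperation

POSTCODE_RE = re.compile(r"\d{4}")            # assumed: postcodes are exactly four digits
MAX_QTY = 10_000                              # assumed: sanity ceiling per order line
SECOND_APPROVAL_THRESHOLD = Decimal("10000")  # assumed: high-value cut-off for a second approver


def validate_postcode(value):
    """Return an error string, or None if the postcode is acceptable."""
    if not isinstance(value, str) or not POSTCODE_RE.fullmatch(value.strip()):
        return f"postcode {value!r} must be exactly four digits"
    return None


def validate_quantity(value):
    """Return an error string, or None if the quantity is a positive whole number within bounds.

    A bare 'is it numeric?' check passes -5, 0, 2.5 and 1e9; this rejects all of them.
    """
    try:
        qty = Decimal(str(value))
    except InvalidOperation:
        return f"quantity {value!r} is not numeric"
    if qty != qty.to_integral_value():
        return f"quantity {value!r} must be a whole number"
    if qty <= 0:
        return f"quantity {value!r} must be greater than zero"
    if qty > MAX_QTY:
        return f"quantity {value!r} exceeds the per-line limit of {MAX_QTY}"
    return None


def validate_order(order):
    """Validate one order dict and return (errors, needs_second_approval).

    Expected shape (assumed):
      {"customer": {"name": str, "postcode": str},
       "lines": [{"sku": str, "qty": ..., "unit_price": ...}, ...]}
    """
    errors = []
    customer = order.get("customer", {})
    if not (customer.get("name") or "").strip():
        errors.append("customer name is required")
    err = validate_postcode(customer.get("postcode"))
    if err:
        errors.append(err)

    total = Decimal("0")
    lines = order.get("lines", [])
    if not lines:
        errors.append("order has no lines")
    for i, line in enumerate(lines, start=1):
        err = validate_quantity(line.get("qty"))
        if err:
            errors.append(f"line {i}: {err}")
            continue
        try:
            price = Decimal(str(line.get("unit_price")))
        except InvalidOperation:
            errors.append(f"line {i}: unit price {line.get('unit_price')!r} is not numeric")
            continue
        if price < 0:
            errors.append(f"line {i}: unit price must not be negative")
            continue
        total += Decimal(str(line["qty"])) * price

    # Only a clean order is routed for second approval; a rejected order never reaches that step.
    needs_second_approval = not errors and total >= SECOND_APPROVAL_THRESHOLD
    return errors, needs_second_approval


if __name__ == "__main__":
    sample = {"customer": {"name": "", "postcode": "30000"},
              "lines": [{"sku": "A", "qty": -5, "unit_price": "1"},
                        {"sku": "B", "qty": "2.5", "unit_price": "1"}]}
    print(validate_order(sample))
```

The second-approval flag is the automated half of the "second employee verifies high-value orders" control: the system decides which orders must wait for another person's sign-off, and the manual part is that sign-off itself.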
8.18. CPA Australia's advisory guide on employee fraud identifies some typical ways that fraud
is carried out. These include:
(a) creating 'ghost' employees or not deleting ex-employee records and having the salary of
these 'ghost' employees paid into the fraudster's bank account
(b) creating bogus suppliers, with payment being made to the fraudster's bank account
(c) creating bogus purchase orders of a bona fide supplier and substituting the supplier's bank
account details with the fraudster's bank account details
(d) obtaining kickbacks or bribes from suppliers or contractors (as an inducement to purchase
from them)
(e) associates of the staff providing services to the business at inflated prices
(f) personal use of business resources
(g) inflated/bogus reimbursement claims
(h) manipulation of financial data to receive performance-based bonuses
(i) faking time sheets
(j) private purchases through business accounts/business credit cards
(k) providing discounted (or free) goods or services to friends and associates.
Required: For each of the above:
(i) Suggest a possible application control that could deal with the fraud.
(ii) Classify the control as preventive, detective or corrective and justify your
classification.
(iii) Explain how the control addresses the fraudulent activity.

Fraudulent Activity | Suggested Application Control | Control Type | Explanation
(a) Creating 'ghost' employees or not deleting ex-employee records and having the salary of these 'ghost' employees paid into the fraudster's bank account | Segregation of duties: HR and payroll | Preventive | By separating the HR and payroll functions, no single individual can both create a 'ghost' employee record and have that employee's salary paid into their own bank account.
(b) Creating bogus suppliers, with payment being made to the fraudster's bank account | Vendor master file maintenance | Preventive | By requiring independent approval of additions and changes to the vendor master file, and regularly verifying vendor information, it reduces the risk of a bogus supplier being set up and payments being directed to the fraudster's bank account.
(c) Creating bogus purchase orders of a bona fide supplier and substituting the supplier's bank account details with the fraudster's bank account details | Purchase order tracking and approval | Preventive | By tracking and approving each purchase order before payment, it reduces the risk of bogus purchase orders being raised and of bank account details being substituted.
(d) Obtaining kickbacks or bribes from suppliers or contractors (as an inducement to purchase from them) | Anti-bribery and corruption policy | Preventive | By having a clear anti-bribery and corruption policy in place, it sets the expectation for employees and reduces the likelihood of them accepting kickbacks or bribes from suppliers or contractors.
(e) Associates of the staff providing services to the business at inflated prices | Vendor selection and approval process | Preventive | By having a vendor selection and approval process in place, it reduces the risk of associates of staff providing services at inflated prices.
(f) Personal use of business resources | Monitoring of business resource usage | Detective | By monitoring the usage of business resources, it enables the detection of any personal use by employees.
(g) Inflated/bogus reimbursement claims | Expense claim management system | Detective | By implementing an expense claim management system, it enables the detection of inflated or bogus reimbursement claims.
(h) Manipulation of financial data to receive performance-based bonuses | Segregation of duties: data entry and approval | Preventive | By separating the data entry and approval functions, it reduces the risk of individuals manipulating financial data to receive performance-based bonuses.
(i) Faking time sheets | Automated time and attendance system | Detective | By implementing an automated time and attendance system, it enables the detection of faked time sheets.
(j) Private purchases through business accounts/business credit cards | Reconciliation of business accounts and credit cards | Detective | By regularly reconciling business accounts and credit cards, it enables the detection of any private purchases made by employees.
(k) Providing discounted (or free) goods or services to friends and associates | Approval and monitoring of discounts and free goods/services | Preventive | By implementing a clear approval and monitoring process for discounts and free goods/services, it reduces the risk of employees providing them to friends and associates without proper authorization.
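As an added example that is not part of the CPA Australia guide or the original answer, the following Python script shows what the detective side of controls (a), (b), (c) and (h) looks like when run as data analytics over the HR master, a payroll run, the vendor master and purchase orders. All record layouts, names and bank account numbers are constructed for illustration.

```python
"""Detective analytics for the payroll and purchasing frauds in 8.18.

Added example; the datasets, field names and account numbers below are made up.
  ghost_employees()       payees in the payroll run with no active HR record,
                          or paid to an account that differs from HR         (a)
  shared_bank_accounts()  one bank account used by several employees/vendors (b), (c)
  sod_violations()        purchase orders raised and approved by one user    (c), (h)
"""
from collections import defaultdict

# Constructed sample data ---------------------------------------------------------
HR_EMPLOYEES = [
    {"emp_id": "E001", "name": "A. Smith", "status": "active",     "bank": "063-000 11111111"},
    {"emp_id": "E002", "name": "B. Jones", "status": "terminated", "bank": "063-000 22222222"},
    {"emp_id": "E003", "name": "C. Wong",  "status": "active",     "bank": "063-000 33333333"},
]
PAYROLL_RUN = [
    {"emp_id": "E001", "bank": "063-000 11111111", "net_pay": 4200},
    {"emp_id": "E002", "bank": "063-000 33333333", "net_pay": 3900},  # ex-employee still paid
    {"emp_id": "E009", "bank": "063-000 33333333", "net_pay": 3100},  # no HR record at all
]
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Supplies",   "bank": "063-000 44444444"},
    {"vendor_id": "V101", "name": "Best Stationery", "bank": "063-000 44444444"},  # same as V100
    {"vendor_id": "V102", "name": "Wong Consulting", "bank": "063-000 33333333"},  # employee's account
]
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor_id": "V100", "created_by": "u.lee",  "approved_by": "u.khan"},
    {"po": "PO-2", "vendor_id": "V102", "created_by": "c.wong", "approved_by": "c.wong"},  # self-approved
]


def ghost_employees(hr, payroll):
    """Return (emp_id, reason) for payroll lines with no active HR record or a
    bank account that differs from the HR master record."""
    active = {e["emp_id"]: e for e in hr if e["status"] == "active"}
    findings = []
    for line in payroll:
        rec = active.get(line["emp_id"])
        if rec is None:
            findings.append((line["emp_id"], "no active HR record"))
        elif rec["bank"] != line["bank"]:
            findings.append((line["emp_id"], "bank account differs from HR master"))
    return findings


def shared_bank_accounts(hr, vendors):
    """Return {bank_account: [owners]} for accounts used by more than one payee,
    looking across employees and vendors together."""
    owners = defaultdict(set)
    for e in hr:
        owners[e["bank"]].add(("employee", e["emp_id"]))
    for v in vendors:
        owners[v["bank"]].add(("vendor", v["vendor_id"]))
    return {acct: sorted(o) for acct, o in owners.items() if len(o) > 1}


def sod_violations(purchase_orders):
    """Return PO numbers where the user who raised the order also approved it."""
    return [po["po"] for po in purchase_orders if po["created_by"] == po["approved_by"]]


if __name__ == "__main__":
    for finding in ghost_employees(HR_EMPLOYEES, PAYROLL_RUN):
        print("payroll exception:", finding)
    for acct, who in shared_bank_accounts(HR_EMPLOYEES, VENDORS).items():
        print("shared bank account:", acct, who)
    for po in sod_violations(PURCHASE_ORDERS):
        print("segregation-of-duties violation:", po)
```

Each function is a detective control: it does not stop the payment, it surfaces the exception for investigation. The preventive counterparts in the table above (segregation of duties, approval of vendor master changes, PO approval) are what keep these lists short in the first place.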
